Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with the aim of harvesting account credentials and taking control of the victims' Microsoft Azure cloud infrastructure.
The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.
"The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.
The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document. The link redirects users to malicious HubSpot Free Form Builder pages, from where they are led to a fake Office 365 Outlook Web App login page designed to steal their credentials.
Unit 42 said it identified at least 17 working Free Forms used to redirect victims to different threat actor-controlled domains. A significant share of those domains were hosted on the ".buzz" top-level domain (TLD).
"The phishing campaign was hosted across various services, including Bulletproof VPS host," the company said. "[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation."
Upon gaining access to an account, the threat actor behind the campaign has been found to add a new device under their control to the account in order to establish persistence.
"Threat actors directed the phishing campaign to target the victim's Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim's endpoint computer," Unit 42 said. "They then followed this activity with lateral movement operations to the cloud."
The development comes as attackers have been observed impersonating SharePoint in phishing emails designed to deliver an information stealer malware family called XLoader (a successor to Formbook).
Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing the brands of email security providers such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.
The attacks that exploit the trust associated with Google services involve sending emails that include a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, typically disguised as a reCAPTCHA or support button. Once this second link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.
Users are advised to enable the "known senders" setting in Google Calendar to protect against this type of phishing attack.